Home > Vulnerability Database > CVE-2021-27911

Mend.io Vulnerability Database

CVE-2021-27911

Date: August 30, 2021

Mautic versions before 3.3.4/4.0.0 are vulnerable to an inline JS XSS attack through the contact's first or last name and triggered when viewing a contact's details page then clicking on the action drop down and hovering over the Campaigns button. Contact first and last name can be populated from different sources such as UI, API, 3rd party syncing, forms, etc.

Language: PHP

Severity Score

8.3

Related Resources (5)

Url: https://github.com/mautic/mautic/security/advisories/GHSA-72hm-fx78-xwhc

Url: https://nvd.nist.gov/vuln/detail/CVE-2021-27911

Url: https://github.com/mautic/mautic

Url: https://github.com/FriendsOfPHP/security-advisories/blob/master/mautic/core/CVE-2021-27911.yaml

Url: https://www.mend.io/vulnerability-database/CVE-2021-27911

Severity Score

8.3

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

CVSS v3.1

Base Score:	8.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

CVSS v2

Base Score:	4.3
Access Vector (AV):	NETWORK
Access Complexity (AC):	MEDIUM
Authentication (AU):	NONE
Confidentiality (C):	NONE
Integrity (I):	PARTIAL
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2021-27911

Date: August 30, 2021

Language: PHP

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

CVSS v3.1

CVSS v2

Do you need more information?